Bug 2142469 (CVE-2022-37598) - CVE-2022-37598 uglify-js: Prototype pollution vulnerability in function DEFNODE in ast.js
Summary: CVE-2022-37598 uglify-js: Prototype pollution vulnerability in function DEFNO...
Keywords:
Status: NEW
Alias: CVE-2022-37598
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2142584 2144994 2144995 2144996
Blocks: 2136498
TreeView+ depends on / blocked
 
Reported: 2022-11-14 06:10 UTC by Sandipan Roy
Modified: 2024-03-02 05:32 UTC (History)
78 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A prototype pollution vulnerability was found in UglifyJS, stemming from the DEFNODE function in ast.js via the name variable. Exploiting this flaw involves adding or altering properties of the Object.prototype through a "__proto__" or constructor payload, enabling an attacker to execute arbitrary code or causing a denial of service on the system.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Sandipan Roy 2022-11-14 06:10:00 UTC
Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js.

https://github.com/mishoo/UglifyJS/issues/5699
https://github.com/mishoo/UglifyJS/blob/352a944868b09c9ce3121a49d4a0bf0afe370a35/lib/ast.js#L46
https://github.com/mishoo/UglifyJS/blob/352a944868b09c9ce3121a49d4a0bf0afe370a35/lib/ast.js#L79


Note You need to log in before you can comment on or make changes to this bug.